Congress Authorizes U.S. Offensive CyberAttacks

by Julian Ku

Ah, the 2012 National Defense Authorization Act… has any defense spending bill had so much defense-related legal policy embedded in it? In addition to all the very important stuff about military detentions, it turns out the NDAA also authorizes the U.S. military to engage in offensive cyber-attacks (h/t Gary Schmitt).

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests.

The act further clarifies that such actions should be subject to the

(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution.

It is hard to figure out (as Schmitt notes) what the point of this is, since it seems to confirm that the US military has the authority to do what it already has the authority to do (kind of like detaining enemy combatants, actually). I suppose it actually might restrain a more aggressive use of offense cyber-attacks, since it constrains it by limiting it to the “law of armed conflict.” I am also a bit baffled as to how the War Powers resolution would limit such attacks.

The larger issue here about the 2012 NDAA is that its controversial provisions do nothing more than confirm (at least in most cases) pre-existing legal authority: e.g. to conduct the war on Al-Qaeda, to detain enemy combatants outside of the civilian system, to try them in military commissions, and to conduct offensive cyber-attacks. I suppose it is annoying to critics of these policies to see them embedded into statute, but will it have any serious practical difference in the conduct of U.S. government policy? It is hard to see.

7 Responses

Response…
“offensive” operations to “defend”? What nonsense from the perspective of international law! What about Articles 2(4) and 51 (“if an armed attack occurs”) of the United Nations Charter?
Some cyber-attacks on the U.S. might be “armed,” but Article 51 expressly requires that the attack take place.

12.15.2011
at 2:37 pm EST Jordan

Cyberspace is not a real space. Would this allow action against U.S. based servers? Hacking Americans’ accounts? Seems to all fall within the broad text.

Response…
Sorry Eugene — your computer has been hacked in order to “defend our … interests.”

12.15.2011
at 5:21 pm EST Jordan

Response…
Question re: “breaking news” — was the CIA use of a drone to surveil Iranian nuclear sites, etc., like a cyber “attack”? Was it a use of a “weapon”? Is the mere receipt of information not an “attack”? Just an impermissible intervention into Iranian airspace (subject to public opinion, diplomatic, economic, juridic sanctions (the latter if the U.S. agrees))?

12.15.2011
at 5:26 pm EST Jordan

One does get a sense that this particular NDAA is a preparation for an armed conflict next year or in the near future which might entail holding numbers of American citizens or residents (people protesting such an armed conflict?) along with other nationals.
Best,
Ben

12.15.2011
at 5:31 pm EST Benjamin G. Davis

Response…
With respect to detention without trial, there has been recognition that Hamdi was limited to a law of war propriety, covered by the AUMF’s “appropriate” term, and limited to the actual armed conflict in Afghanistan. See also Scalia’s dissent in Hamdi. Thus, some claim that broader detention legislation is needed — e.g., to detain professors who speak out!

December 9, 2016Marrakech Express--Going Slow But Still on Track[Daniel Bodansky is Foundation Professor of Law at the Center for Law and Global Affairs’ Faculty Co-Director at the Sandra Day O'Connor College of Law; an Affiliate Faculty Member, Center for Law, Science & Innovation; an Affiliate Faculty Mem...

December 2, 2016Contextualizing the Debate on First Strikes
[Charles Kels is a major in the U.S. Air Force. His views do not reflect those of the Air Force or Department of Defense.]
The fascinating and edifying debate between Adil Haque (see here, here, here, and here) and, respectively, Deborah Pearlstei...

November 30, 2016The Corrosive Risks of Lawless Leadership
[Geoffrey S. Cornis Professor of Law at South Texas College of Law Houston in Houston Texas. Prior to joining the South Texas College of Law Houston faculty in 2005, Professor Corn served in the U.S. Army for 21 years as an officer, retiring in the ...